What You Need To Know About Data Privacy

Virginia L. Gibson, David Bender and Jon F. Doyle

White & Case LLP


Summary

This session will focus on: (i) the scope of the EU Directive on data privacy; (ii) the member countries and the local restrictions; (iii) the enforcement of the local data privacy restrictions; (iv) the U.S. safe harbor alternatives; and (v) the general practice of similar companies in complying with the EU Directive on data privacy and the local restrictions.

Biographies

Virginia L. Gibson – White & Case LLP

Ms. Gibson is a partner in the Palo Alto and San Francisco offices of White & Case LLP. She received her B.A. from the University of California at Berkeley in 1972 and her J.D. from the University of California, Hastings College of the Law in 1977. Ms. Gibson’s practice features the representation of clients in global and U.S. employment law, personal data privacy and workplace privacy matters. Through these practice areas, Ms. Gibson has advised numerous employers on the nuances of local laws concerning privacy matters and drafting document, personal information and workplace privacy policies.

Ms. Gibson’s other areas of practice include the representation of clients in: (i) global equity programs; (ii) cross-border financial services such as investment management, brokerage and banking; (iii) transactional representation involving stock compensation, executive compensation and employee benefit issues arising in acquisitions and mergers, loans, reorganizations, and other business transactions; (iv) plan design and implementation; and (v) investment product development.

Ms. Gibson has served as a member of the Executive Committee of the Tax Section of the California State Bar Association and as President of the San Francisco Chapter of the Western Pension & Benefits Conference. She is a frequent writer and lecturer for the National Association of Stock Plan Professionals, the National Center for Employee Ownership, the State Association of Country Retirement Systems, the California State Bar Association, the California Bankers Association, Northern California Trust Association, San Francisco Bar Association and the Western Pension & Benefits Conference.

Biographies, continued

David Bender – White & Case LLP

Mr. Bender is a partner in the New York office of White & Case LLP specializing in the areas of intellectual property and information technology. Mr. Bender has extensive experience in contracting, litigation and counseling. He negotiates and drafts all types of agreements relating to internet, computer software and hardware matters. He also litigates computer-related disputes and directs intellectual property due diligence investigations. A registered U.S. patent attorney, Mr. Bender has represented a variety of corporations in the area of computer software and services. Over the past 15 years, he has drafted and supervised some 200 computer software and service agreements of all types and degrees of complexity for such clients as Avis Rent-A-Car, Aramco, Bankers Trust, Deutsche Bank, The Markle Foundation, NYNEX, NTT and Swiss Bank as well as many small software firms and banks.

Mr. Bender is the author of Computer Law: Software Protection and Litigation and of a number of law review articles on topics relating to computer, intellectual property and antitrust law. He has been a guest speaker at more than 150 seminars in the United States and in a dozen other countries. He is also the president of the Computer Law Association.

Mr. Bender is admitted to practice in the District of Columbia Bar, New York State Bar and the United States Courts of Appeals for the Second, Third, Fourth, Fifth, Ninth and Federal Circuits. Mr. Bender received his B.S. from Brown University, J.D. from University of Pennsylvania, LL.M., in Patent Law, and S.J.D., in Computer Law, from George Washington University.

Jon F. Doyle – White & Case LLP

Jon F. Doyle is an attorney in the Palo Alto and San Francisco offices of White & Case LLP and a member of the global equity compensation and financial services group. Mr. Doyle has advised multi-national companies and financial institutions on the tax, securities, foreign exchange, labor, data privacy and e-commerce issues encountered in each country where the relevant company offers stock option, stock purchase, restricted stock, phantom stock, stock appreciation right, cash bonus, venture capital and directed share plans to its employees, directors and consultants.

Mr. Doyle has also represented clients in the following areas: (i) cross-border financial services such as investment management, brokerage and banking; (ii) transactional representation involving stock compensation, executive compensation and employee benefit issues arising in acquisitions and mergers, loans, reorganizations, and other business transactions; (iii) plan design and implementation; (iv) investment product development; (v) data privacy compliance; (vi) cross-border labor and employment matters; and (vii) cross-border entity formation.

Prior to receiving his law degree, Mr. Doyle worked as a Certified Public Accountant for Ernst & Young in Chicago. Mr. Doyle received an LL.M. in taxation from the University of Florida College of Law in 1995, a J.D. in 1993 from the University of Iowa College of Law, and a B.B.A. in accounting in 1990 from the University of Iowa. He is a member of the California Bar, the District of Columbia Bar Association, the Florida Bar, and the State Bar of Georgia, the National Association of Stock Plan Professionals and the Western Pension & Benefits Conference.

Outline of Presentation

Data Protection in the United States
  Statutes
  Self-regulation
Employer’s monitoring rights in the US
EU Directive
National data privacy laws
Data Transfer from the EU
Compliance alternatives

The Blunt Truth?

“You have zero privacy anyway. Get over it.”

Scott McNealy, Chief Executive Officer, Sun Microsystems, January 25, 1999

Hysteria?

“... there’s a new hysteria on ... privacy. People are beating the drum, [although] the average person has far more privacy today than a century ago .... This hysteria is misplaced.”

Thomas Leary, Commissioner, Federal Trade Commission, June 5, 2001

Two Different Approaches

Europe: EU Data Protection Directive implemented by detailed national legislation in each Member State

US: Relatively little legislation, with self-regulation and enforcement of deceptive practices legislation for failing to comply with announced privacy policy

Summary of US Data Protection Law

Three sources of US Data Protection “Law”:

Specific statutes (examples: GLB, HIPAA, COPPA)
The Federal Trade Commission (FTC Act; FTC “Guidelines”)
EU Privacy Directive transfer restrictions

The Statutory Landscape

Most US companies favor “self-regulation”
There are no generally applicable statutes
Existing statutes adopt a piecemeal, sector-specific approach
Statutes exist at both federal and state levels
Most sectors lack specific regulation

Specific Statutes

Fair Credit Reporting Act
Gramm-Leach-Bliley Act of 1999
Children’s Online Privacy Protection Act of 1998 (“COPPA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Video Privacy Protection Act of 1988

The Federal Trade Commission

“... unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 USC Sec. 45(a)(1)

“The [FTC] is hereby empowered and directed to prevent persons ... from using ... unfair or deceptive acts or practices in or affecting commerce.” Id. at Sec. 45(a)(2)

Statute permits action by FTC (but not private party)

Statutory remedy: Cease and desist order (but no damages, and no order to post privacy policy)

Activities of the FTC

Three Data Protection reports to Congress (June 1998, July 1999, May 2000)
May 2000 report to Congress identified four “core” principles:
  Notice
  Choice
  Access
  Security

FTC Recommendation

1998 and 1999 Reports recommended self-regulation
The 2000 Report recommended legislation
  Legislation should be general and technologically neutral
  Invites continued self-regulation programs and seal programs
But FTC did an about-face in 2001

Gramm-Leach-Bliley Act

Applies to institutions providing “financial services” (broadly defined):
  Banks
  Insurance companies
  Investment houses
But also may apply to:
  Retailer issuing its own credit cards
  Personal property or real estate appraiser
  Auto dealer that leases for more than 90 days

GLB Act Applicability (continued)

Career counselor who advises employees or ex-employees of financial organization
Business that prints and sells checks for consumers
Entity that provides real estate settlement services
Tax return preparation service

Not Impacted by G-L-B

Data that is not consumer data
Data that is not personally identifying data
Transfers of data among affiliates
But:
  Fair Credit Reporting Act governs transfers between affiliates
  Proposed legislation would subject affiliates to G-L-B Act

G-L-B Act Requirements

Before disclosure to non-affiliate, must inform consumer of proposed disclosure, that consumer may prohibit it, and how to do so
Exceptions: consumer consented; necessary to effect transaction consumer authorized; to protect against fraud; to resolve customer disputes; in connection with transfer of the business
No pre-emption of stricter State laws

G-L-B Act Principles

Two principles: notice and opt-out
Consumer must have reasonable period in which to opt out
But consumer cannot opt out of sharing with affiliates or with processors
Financial institution may not disclose account numbers to non-affiliates

Observation and Question

Under present US law, unless (i) your website is directed to children, (ii) you deal with a sector where privacy is regulated, or (iii) you need to process data from the EU, then all you need do to avoid privacy liability is keep your mouth shut (i.e., don’t announce a policy).

Why, then, are so many companies that don’t fall into (i), (ii) or (iii) announcing policies?

Self-Regulation

In the absence of statutes governing them (and to forestall new legislation that would govern them), companies are promoting self-regulation.

There are various ways to do this, including use of industry associations and seal organizations.

Online Privacy Alliance

Cross-industry coalition of over 100 global companies, created in 1998
Sponsors include: AOL, AT&T, Cisco, Compaq, IBM, Lexis, Microsoft, Yahoo
Goal: promote online privacy
A leading voice of the private sector regarding online privacy policy

Online Privacy Alliance Guidelines

Members’ privacy policy must conform to the five precepts of the Guidelines:
  Adoption/implementation of a privacy policy
  Notice and disclosure
  Choice/consent
  Data security
  Data quality and access

Enforcement Framework

Needed to assure compliance
Verification and monitoring
Consumer complaint resolution
Education and outreach
Support for third party enforcement programs that award symbols (“seals”)

Seal Programs

Independent organizations created for this purpose
Examples: BBBOnline, Truste, and CPA WebTrust
Purpose: to enhance consumer confidence in e-commerce - “Good Housekeeping” analogy
Seal organization works with online client to develop privacy policy and statement to reflect information collection–dissemination–choice–access–security practices.

Seal Programs (continued)

Client agrees to adhere to this statement, and its website carries seal symbol (click to verify) with link to client’s privacy statement.
Annual fee in range of $100 – $10,000 based on client’s size.
Seal organization may offer ADR facility.
Some seal organizations offer a special mark for children’s websites.

Seal Programs (continued)

Seal organization engages in passive and active monitoring.
Seal organization receives and investigates consumer complaints.
If seal organization believes site has violated statement, its agent investigates.
If noncompliant, seal organization advises and assists.

Seal Programs (continued)

In event of continued noncompliance, withdraw seal.
In certain situations, seal organization may report client to FTC.
Seal organization may display on its website information regarding complaints filed against its clients.

Perception of Seal Programs

By industry: quite valuable. Why?
  Because it may help avoid further governmental regulation
  Because e-commerce will not thrive absent a high degree of consumer confidence
By consumers: much higher degree of confidence

Some Practical Suggestions

1. The website owner should bind the user to the Terms of Use.
  By simply posting the Terms of Use, the owner may be bound. But the user may not be bound.
  Post the Terms of Use conspicuously, in non-legalese, and not intermingled with other matters.
  Require the user to agree by clicking on a button (no click, no use).
  Properly drafted Terms that are properly portrayed on the site and agreed to (“clickwraps”) are enforceable.

Suggestions

2. Avoid making overly broad statements in the privacy policy. Examples:
  Instead of “Your data will not be disclosed without your consent,” why not try “Unless required by law, we won’t authorize disclosure of your data without your consent.”
  Instead of “The data you give us is entirely secure,” how about “We use security techniques standard in our industry to safeguard your data.”

Suggestions

3. If your website contains hyperlinks to other sites, note conspicuously in your privacy statement that your privacy policy does not apply to websites to which the user transfers through those hyperlinks. Your statement should advise the user that, for a statement as to the privacy policy of each such site, the user must address that site’s privacy statement.

Suggestions

4. In the posted Terms of Use governing the website, include an arbitration clause.
  Most consumer privacy victims will have minimal damages.
  Significant consumer privacy judgments will generally occur only in class actions.
  A properly drafted arbitration clause in the Terms of Use will likely avert a class action.

Conclusion

1. US privacy law is presently a collection of sector-specific statutes, backed up by an FTC right to order a cessation of deceptive statements.

2. General privacy legislation may or may not be on the horizon. If so, its form is presently indistinct.

3. It has become commercially expedient for a website to state a privacy policy.

4. By carefully framing the site’s privacy policy, and Terms of Use, liability may be limited.

Non-Privacy Problems Arising from Employee Use of E-Mails/Internet

Legal Problems:
  Defamation
  Copyright infringement
  Harassment
  Ownership disputes as to software and content created using employer equipment and services
Commercial Problems:
  Network slowdown
  Inattention to work

Employer Monitoring of Employee Use of E-Mail/Internet

The Question: To what extent may an employer lawfully monitor employee use of e-mail or the Internet?

The Answer: It depends.

The critical Issue: Did the employee have an “expectation of privacy”?

Electronic Communications Privacy Act (1986)

General prohibition of unauthorized interception, access, or disclosure of e-communications
Applies to private parties, government and police
Distinguishes between access to transmission (covered), and access to storage (not covered)
Does not prohibit employer access to stored data
Other factors: state privacy laws, union and employee agreements

Importance of a Privacy Policy

A properly drafted privacy policy, appropriately communicated to employees, can negate an expectation of privacy.
It should be in writing.
If you will monitor employee use, state the extent to which you will do so in the policy.
Educate employees about the policy, and periodically remind them.

Privacy Policy (continued)

Post a notice at employee log-in and require acknowledgement: “E-mail [Internet messages] transmitted through this system is not private. [State nature of permitted use.]”
Describe e-mail retention practice.
Indicate how employer may use e-mails accessed.

EU Directive

Countries within the EU are required to adopt national data privacy legislation.
The Directive does not take precedence over existing national labor, tax and personnel laws.
Companies must be aware that some EU countries have data privacy requirements which exceed the requirements of the Directive.

“Personal Data”

Personal Data is any data that identifies a natural person (as opposed to an entity).
Examples of “personal data” for employment matters:
  name
  address
  salary
  date of birth
  marital status
  length of service
  status of changes (e.g., disability, leave of absence, retirement, termination)
  tax ID#

Impact of Data Privacy Laws on HR

Recruitment, screening, assessment of candidates
Access control to buildings and computers
Payroll
Performance reviews
Benefits (e.g., stock option, stock purchase, retirement, bonus, etc.)
Disciplinary actions
Company directories

Personal Data May Be Processed:

With the unambiguous consent of the employee
As part of an employee contract
Due to an employer’s legal obligation
In order to protect the vital interests of the employee
To perform a task carried out in the public interest or in the exercise of official authority
If the “legitimate interests” of the employer or a third party are an issue

Data Protection Principles

To process and use data, it must be relevant and have a specific purpose.
The data can be held no longer than necessary.
The data should be correct and kept current.
Employees must be notified as to the purpose of the data processing, and the identities of the data controller (e.g., employer) and any third-party recipients.
Appropriate security measures should be taken to protect the data.
Employees need access to the data, the ability to correct errors and the right to object to some types of processing.

Special Categories

Processing of “special categories” is prohibited unless the employee explicitly consents or it is necessary to carry out certain obligations or “legitimate activities”:
  Ethnic origin
  Labor union membership
  Religious or other beliefs
  Physical or mental health
  Criminal convictions
  Sex life
  Political opinions or affiliations

Transfer of Personal Data

The transfer of data within the EU is unrestricted.
Member states must prevent data transfers to countries lacking “adequate” privacy protections.
There is no clear standard of what constitutes “adequate” protection.

Data transfers permissible despite inadequate protection if:

Unambiguous consent of employee
Necessary for performance of contract between employer and employee
Legally required on important public interest grounds or in defense of legal claims
To protect vital interests of the employee
Information is already available to the public

Pitfalls

U.S. companies and their EU subsidiaries may face:
  Disruption of data flows
  Fines
  Criminal actions
  Suspension of business operations in EU member states
  Private lawsuits
  Negative publicity

National Data Privacy Laws

EU Directive intended to establish minimum privacy standards
National laws vary from country to country
Consent required to process or transfer data
Registration with local privacy authorities

France

Written consent required for collection, processing and transfer of data
Declare data to Commission Nationale de l’Informatique et des Libertés (“CNIL”) prior to collection and processing
Transfer agreement must be filed with CNIL

Germany

Personal data must not be stored, used or transmitted without employee’s consent
Use of personal data permissible if within scope or directly connected with employment relationship
Conservative approach is to obtain written consent
Automated databases must be registered

Italy

Notification of Garante per la Protezione dei Dati Personali (“Garante”) required before the processing and transfer of data.
Employees must be informed of processing and transfer of personal data.

The Netherlands

Notification required unless data covered by Exemption Regulation
Exemption Regulation applicable to certain employee information and to data “necessary to calculate allowance and other payment and remuneration in-kind”.
Data covered by Exemption Regulation cannot be stored longer than two years after termination of employment.
Employee consent required for transfer of data to the US

United Kingdom

No notification required if data processed for purposes of “staff administration”
Employee consent required for transfer of data to the US

Compliance Alternatives

Safe harbor
Standard contractual clauses
Employee consent

“Safe Harbor” Agreement

Enables U.S. based employers to comply with EU Directive
Enables the EU to certify that participating U.S. companies meet the EU requirements for adequate privacy protection

“Safe Harbor” Principles

Notice
Choice
Onward transfer
Security
Data integrity
Access
Enforcement

For “Safe Harbor” Protection, the Employer Must:

Subject itself to jurisdiction of the Federal Trade Commission (“FTC”)
Revise or create a privacy policy in compliance with the safe harbor principles
Publicly disclose its privacy policy
Unambiguously and publicly disclose its commitment to comply with the safe harbor principles

Self-Certification to Department of Commerce

Self-certification by sending a letter to the U.S. Department of Commerce, signed by corporate officer, containing the specifics of the company’s compliance with safe harbor principles
Participation in safe harbor is voluntary
U.S. Department of Commerce maintains a list at www.export.gov/safeharbor/ of companies that agree to subscribe to the safe harbor principles

Standard Contractual Clauses

Alternatives to safe harbor
Compliance with designation similar to those of the EU Directive
Joint & several liability for sender & recipient
Subject to jurisdiction of EU member states

Employee Consent

Consent to data processing
Consent to data transfer

Getting Started

Review/develop privacy policies and practices
Designate a chief privacy officer
Review compliance in specific countries